CVS commit: pkgsrc/www/drupal6

[Adrian Portelli <adrianp%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adrianp
Date:           Thu Jul 16 18:11:53 UTC 2009

Modified Files:
        pkgsrc/www/drupal6: Makefile distinfo

Log Message:
This release fixes security vulnerabilities. Sites are urged to upgrade 
immediately after reading the security announcement:

    * SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed 
since the 6.12 release:

    * - Patch #463450 by wulff: fixed documentation glitch.
    * #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string 
split() function does not behave like PHP explode(); causes problems with 
multiple node body break tags
    * #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a 
possible CSS query character, since that is the Drupal path name character too
    * #452704 by andypost, catch: Names of compressed CSS and JS files should 
have a prefix, so that names starting in ad* will not happen. Those are easily 
blocked by firewalls, Firefox's Adblock, etc.
    * #468732 by andypost: cache_clear_all() mentioned cache_flush_delay 
incorrectly; it should say we use cache_lifetime
    * #460420 by wulff, andypost: drupal_set_title() in forum_overview() is not 
needed; menu already sets the title and is localized
    * #398902 by Nick Urban, alexanderpas, kscheirer: password equality 
checking was not using strict type checking; we should assume these are strings 
and compared character to character
    * #479216 by jhedstrom: fix grammar in forum module messages
    * #445748 by Dave Reid, dww: Fix module support for disabled module update 
status checking and do not track usage in that case.
    * #465190 by Heine: The Anonymous name is a plain text setting, so it 
should be escaped properly for output.
    * #246096 by Sutharsan, Pedro Lozano, mr.baileys, andypost: Actions set to 
run on cron were not actually triggered.
    * #226479 by gpk, BrianV, catch: We should always show the node access 
rebuild button. The check on when to show it was fragile, so the button might 
not have been there when actually needed.
    * #482646 by Dave Reid: For proper HTTP query simpletesting, we should pass 
on the instance identifier (database prefix).
    * #197266 by ufku, lilou, Dave Reid, c960657, drewish: Save a query by only 
calling file_space_used() when a limit is provided.
    * #408876 by Pasqualle, JamesAn: The 'serialize' Schema API property was 
used but not documented.
    * #145733 by kepten, brianV: The session.use_cookies PHP setting is 
required by Drupal, but it can be turned off, so try to ensure it is turned on 
at all times.
    * #373225 by jpulles, Josh Waihi: When changing columns, PostgreSQL needs 
explicit type casting to ensure that values are kept properly.
    * #236657 by hctom, swentel: In system_clear_cache_submit(), the function 
arguments were swapped (but it did not affect how it actually worked).
    * #243253 by Benjamin Melançon, dww: Update status should not attempt to 
request update data until a limit is reached. Fixed Drupal instances when 
drupal.org is down and gets less load on Drupal.org if data is not found.
    * #339466 by patryk, c960657, alexanderpas: Remove url() wrapping from 
remote links and link in a more user friendly OpenID provider list.
    * #461938 by grendzy, JamesAn: Use filter_xss_admin() on site name and site 
slogan, just like footer message and mission
    * #455172 by budda, RoboPhred, andypost: Fix drupal_mail() documentation, 
so that it encourages to set the body of the email as an array (like core does).
    * #329797 by berenddeboer, redndahead, danielb: The tablesort code did not 
account for possibly nested tables; only match immediate descendats, so 
elements of nested tables are not matched.
    * #352121 by valthebald, Damien Tournoud, mr.baileys: The safe string check 
on translations should only be applied to the default textgroup. Strings in 
other textgroups such as blocks and menu items are displayed via escaping and 
filtering, and might contain arbitrary HTML.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/drupal6/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/drupal6/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.